From d561e98c9595f841fa2dae19b7c9db9cfc8c31a6 Mon Sep 17 00:00:00 2001
From: joniumGit <52005121+joniumGit@users.noreply.github.com>
Date: Thu, 21 May 2026 23:23:57 +0300
Subject: [PATCH 1/3] Change nuget feed to use a safeDialer

Signed-off-by: joniumGit <52005121+joniumGit@users.noreply.github.com>
---
 internal/handlers/nuget_feed.go | 5 +++--
 internal/handlers/nuget_feed_test.go | 4 ++--
 internal/handlers/oidc_handling_test.go | 10 +++++-----
 proxy.go | 2 +-
 4 files changed, 11 insertions(+), 10 deletions(-)

diff --git a/internal/handlers/nuget_feed.go b/internal/handlers/nuget_feed.go
index 4191dc0..a48c697 100644
--- a/internal/handlers/nuget_feed.go
+++ b/internal/handlers/nuget_feed.go
@@ -48,14 +48,15 @@ type nugetFeedCredentials struct {
 }
 // NewNugetFeedHandler returns a new NugetFeedHandler.
-func NewNugetFeedHandler(creds config.Credentials) *NugetFeedHandler {
+func NewNugetFeedHandler(creds config.Credentials, transport http.RoundTripper) *NugetFeedHandler {
 	handler := NugetFeedHandler{
 		credentials: []nugetFeedCredentials{},
 		oidcRegistry: oidc.NewOIDCRegistry(),
 	}
 	httpClient := &http.Client{
-		Timeout: time.Second * 10,
+		Timeout: time.Second * 10,
+		Transport: transport,
 	}
 	for _, cred := range creds {
diff --git a/internal/handlers/nuget_feed_test.go b/internal/handlers/nuget_feed_test.go
index a4c3c39..3f15c36 100644
--- a/internal/handlers/nuget_feed_test.go
+++ b/internal/handlers/nuget_feed_test.go
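Review bot: The doc comment kept above the new signature still reads `// NewNugetFeedHandler returns a new NugetFeedHandler.` and says nothing about `transport`, which matters here because a nil value makes the `http.Client` fall back to `http.DefaultTransport` and silently loses the safe-dialer protection this series is adding — exactly what every test call in the series does by passing nil. I would extend the comment to `// NewNugetFeedHandler returns a new NugetFeedHandler. transport is used for the feed's outbound HTTP client; a nil transport falls back to http.DefaultTransport, which does not use the safe dialer.` The same gap applies to the constructors changed in patch 3 at NewComposerHandler, NewGoProxyServerHandler, NewHelmRegistryHandler, NewMavenRepositoryHandler and NewNPMRegistryHandler (whose comment also ends with a comma instead of a period). If a nil transport is never intended outside tests, saying so in the comment, or guarding against it where proxy.go wires the handlers, would make that contract explicit.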
@@ -133,7 +133,7 @@ func TestNugetFeedHandler(t *testing.T) { // Log for initial authentication contains appropriate information var buf bytes.Buffer log.SetOutput(&buf) - handler := NewNugetFeedHandler(credentials) + handler := NewNugetFeedHandler(credentials, nil) logContents := buf.String() assert.False(t, strings.Contains(logContents, "* authenticating nuget feed request (host: api.nuget.org, bearer auth)"), "don't authenticate a feed without a token or password") assert.True(t, strings.Contains(logContents, "unauthorized for nuget feed https://nuget.example.com/auth-required/v3"), "authentication failure is reported") @@ -336,7 +336,7 @@ func TestExtraAuthenticatedURLsAreReportedInTheLog(t *testing.T) { var buf bytes.Buffer log.SetOutput(&buf) - NewNugetFeedHandler(credentials) + NewNugetFeedHandler(credentials, nil) logContents := buf.String() assert.True(t, strings.Contains(logContents, " added url to authentication list: https://nuget.example.com/v3/packages"), "include PackageBaseAddress") diff --git a/internal/handlers/oidc_handling_test.go b/internal/handlers/oidc_handling_test.go index b95aee9..6310bdb 100644 --- a/internal/handlers/oidc_handling_test.go +++ b/internal/handlers/oidc_handling_test.go @@ -968,7 +968,7 @@ func TestOIDCURLsAreAuthenticated(t *testing.T) { name: "NuGet", provider: "aws", handlerFactory: func(creds config.Credentials) oidcHandler { - return NewNugetFeedHandler(creds) + return NewNugetFeedHandler(creds, nil) }, credentials: config.Credentials{ config.Credential{ @@ -1001,7 +1001,7 @@ func TestOIDCURLsAreAuthenticated(t *testing.T) { name: "NuGet", provider: "azure", handlerFactory: func(creds config.Credentials) oidcHandler { - return NewNugetFeedHandler(creds) + return NewNugetFeedHandler(creds, nil) }, credentials: config.Credentials{ config.Credential{ 
@@ -1031,7 +1031,7 @@ func TestOIDCURLsAreAuthenticated(t *testing.T) {
 			name: "NuGet",
 			provider: "jfrog",
 			handlerFactory: func(creds config.Credentials) oidcHandler {
-				return NewNugetFeedHandler(creds)
+				return NewNugetFeedHandler(creds, nil)
 			},
 			credentials: config.Credentials{
 				config.Credential{
@@ -1060,7 +1060,7 @@ func TestOIDCURLsAreAuthenticated(t *testing.T) {
 			name: "NuGet",
 			provider: "cloudsmith",
 			handlerFactory: func(creds config.Credentials) oidcHandler {
-				return NewNugetFeedHandler(creds)
+				return NewNugetFeedHandler(creds, nil)
 			},
 			credentials: config.Credentials{
 				config.Credential{
@@ -1091,7 +1091,7 @@ func TestOIDCURLsAreAuthenticated(t *testing.T) {
 			name: "NuGet",
 			provider: "gcp",
 			handlerFactory: func(creds config.Credentials) oidcHandler {
-				return NewNugetFeedHandler(creds)
+				return NewNugetFeedHandler(creds, nil)
 			},
 			credentials: config.Credentials{
 				config.Credential{
diff --git a/proxy.go b/proxy.go
index 1f4c42d..4546034 100644
--- a/proxy.go
+++ b/proxy.go
@@ -109,7 +109,7 @@ func newProxy(envSettings config.ProxyEnvSettings, cfg *config.Config, blockedIp
 	rubyGemsServerHandler := handlers.NewRubyGemsServerHandler(cfg.Credentials)
 	proxy.OnRequest().DoFunc(rubyGemsServerHandler.HandleRequest)
-	nugetFeedHandler := handlers.NewNugetFeedHandler(cfg.Credentials)
+	nugetFeedHandler := handlers.NewNugetFeedHandler(cfg.Credentials, transport)
 	proxy.OnRequest().DoFunc(nugetFeedHandler.HandleRequest)
 	mavenRepositoryHandler := handlers.NewMavenRepositoryHandler(cfg.Credentials)

From 05d669902fa4cd452bcc73ddc7dc065c62dc2f71 Mon Sep 17 00:00:00 2001
From: joniumGit <52005121+joniumGit@users.noreply.github.com>
Date: Thu, 21 May 2026 23:56:41 +0300
Subject: [PATCH 2/3] Adds missing audience validation

Signed-off-by: joniumGit <52005121+joniumGit@users.noreply.github.com>
---
 internal/oidc/actions_oidc.go | 3 +++
 1 file changed, 3 insertions(+)

diff --git a/internal/oidc/actions_oidc.go b/internal/oidc/actions_oidc.go
index 4f52de5..d186e91 100644
--- a/internal/oidc/actions_oidc.go
+++ b/internal/oidc/actions_oidc.go
@@ -602,6 +602,9 @@ func GetCloudsmithAccessToken(ctx context.Context, params CloudsmithOIDCParamete
 	if params.OrgName == "" {
 		return nil, fmt.Errorf("org name is required")
 	}
+	if params.Audience == "" {
+		return nil, fmt.Errorf("audience is required")
+	}
 	if githubToken == "" {
 		return nil, fmt.Errorf("GitHub token is required")
 	}

From 5f4dae3291bf6cc06474c7141159b137b54a9fbe Mon Sep 17 00:00:00 2001
From: joniumGit <52005121+joniumGit@users.noreply.github.com>
Date: Thu, 21 May 2026 23:57:21 +0300
Subject: [PATCH 3/3] Uses safeDialer everywhere
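Review bot: The new `params.Audience == ""` guard has no test; the commit's diffstat touches only actions_oidc.go, so nothing asserts that an empty audience is rejected before any token request is made. I would add a case to actions_oidc_test.go that calls GetCloudsmithAccessToken with an otherwise-valid params value and an empty Audience and checks the returned error for `audience is required`. GetCloudsmithAccessToken starts outside the hunk, so I cannot see how Audience is consumed further down; keeping the guard with the other required-field checks, ahead of any network call, is the right placement as long as that holds.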
Signed-off-by: joniumGit <52005121+joniumGit@users.noreply.github.com> --- internal/handlers/cargo_registry.go | 6 +- internal/handlers/cargo_registry_test.go | 2 +- internal/handlers/composer.go | 4 +- internal/handlers/composer_test.go | 2 +- internal/handlers/docker_registry.go | 2 +- internal/handlers/goproxy_server_handler.go | 4 +- .../handlers/goproxy_server_handler_test.go | 2 +- internal/handlers/helm_registry.go | 4 +- internal/handlers/helm_registry_test.go | 2 +- internal/handlers/hex_repository.go | 6 +- internal/handlers/hex_repository_test.go | 2 +- internal/handlers/maven_repository.go | 4 +- internal/handlers/maven_repository_test.go | 2 +- internal/handlers/npm_registry.go | 4 +- internal/handlers/npm_registry_test.go | 2 +- internal/handlers/nuget_feed.go | 2 +- internal/handlers/oidc_handling_test.go | 126 +++++++++--------- internal/handlers/pub_repository.go | 6 +- internal/handlers/pub_repository_test.go | 2 +- internal/handlers/python_index.go | 6 +- internal/handlers/python_index_test.go | 2 +- internal/handlers/rubygems_server.go | 4 +- internal/handlers/rubygems_server_test.go | 2 +- internal/handlers/terraform_registry.go | 4 +- internal/handlers/terraform_registry_test.go | 12 +- internal/oidc/actions_oidc.go | 47 +++---- internal/oidc/actions_oidc_test.go | 10 +- internal/oidc/oidc_credential.go | 18 ++- internal/oidc/oidc_credential_test.go | 6 +- internal/oidc/oidc_registry.go | 15 ++- internal/oidc/oidc_registry_test.go | 46 +++---- proxy.go | 22 +-- 32 files changed, 185 insertions(+), 193 deletions(-) diff --git a/internal/handlers/cargo_registry.go b/internal/handlers/cargo_registry.go index b875d84..d24f375 100644 --- a/internal/handlers/cargo_registry.go +++ b/internal/handlers/cargo_registry.go 
@@ -43,10 +43,10 @@ type cargoRepositoryCredentials struct {
 	authorization string
 }
-func NewCargoRegistryHandler(credentials config.Credentials) *CargoRegistryHandler {
+func NewCargoRegistryHandler(credentials config.Credentials, transport http.RoundTripper) *CargoRegistryHandler {
 	handler := CargoRegistryHandler{
 		credentials: []cargoRepositoryCredentials{},
-		oidcRegistry: oidc.NewOIDCRegistry(),
+		oidcRegistry: oidc.NewOIDCRegistry(transport),
 	}
 	for _, credential := range credentials {
@@ -63,7 +63,7 @@ func NewCargoRegistryHandler(credentials config.Credentials) *CargoRegistryHandl
 			if oidcCred, _, _ := handler.oidcRegistry.Register(credential, []string{"url"}, "cargo registry"); oidcCred != nil {
 				continue
 			}
-		} else if oidcCred, _ := oidc.CreateOIDCCredential(credential); oidcCred != nil {
+		} else if oidcCred, _ := oidc.CreateOIDCCredential(credential, transport); oidcCred != nil {
 			continue
 		}
diff --git a/internal/handlers/cargo_registry_test.go b/internal/handlers/cargo_registry_test.go
index e4a0d75..7cf8227 100644
--- a/internal/handlers/cargo_registry_test.go
+++ b/internal/handlers/cargo_registry_test.go
@@ -46,7 +46,7 @@ func TestCargoRegistryHandler(t *testing.T) {
 		},
 	}
-	handler := NewCargoRegistryHandler(credentials)
+	handler := NewCargoRegistryHandler(credentials, nil)
 	// valid request, should authenticate
 	url := validURL
diff --git a/internal/handlers/composer.go b/internal/handlers/composer.go
index 2865fad..85f41a0 100644
--- a/internal/handlers/composer.go
+++ b/internal/handlers/composer.go
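Review bot: `NewCargoRegistryHandler` is exported but still has no doc comment — the hunk shows the new signature directly below the closing brace of cargoRepositoryCredentials — while the sibling constructors in this series (NewComposerHandler, NewHelmRegistryHandler and others) carry a `// NewXxx returns a new Xxx.` line. I would add `// NewCargoRegistryHandler returns a new CargoRegistryHandler. transport is passed on to the OIDC registry and credential helpers.` above the signature, and say what a nil transport means once the oidc side (not visible in this chunk) confirms its fallback. The same omission applies to NewHexRepositoryHandler in the hex_repository.go hunk later in this patch. Both constructors now hand the same transport to oidc.NewOIDCRegistry and oidc.CreateOIDCCredential, so the two OIDC paths share one dialer, which is what the series intends.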
@@ -26,10 +26,10 @@ type composerCredentials struct {
 }
 // NewComposerHandler returns a new ComposerHandler.
-func NewComposerHandler(creds config.Credentials) *ComposerHandler {
+func NewComposerHandler(creds config.Credentials, transport http.RoundTripper) *ComposerHandler {
 	handler := ComposerHandler{
 		credentials: []composerCredentials{},
-		oidcRegistry: oidc.NewOIDCRegistry(),
+		oidcRegistry: oidc.NewOIDCRegistry(transport),
 	}
 	for _, cred := range creds {
diff --git a/internal/handlers/composer_test.go b/internal/handlers/composer_test.go
index cb437ad..a802244 100644
--- a/internal/handlers/composer_test.go
+++ b/internal/handlers/composer_test.go
@@ -64,7 +64,7 @@ func TestComposerHandler(t *testing.T) {
 			"token": "",
 		},
 	}
-	handler := NewComposerHandler(credentials)
+	handler := NewComposerHandler(credentials, nil)
 	req := httptest.NewRequest("GET", "https://phpreg.bigco.com/somepkg", nil)
 	req = handleRequestAndClose(handler, req, nil)
diff --git a/internal/handlers/docker_registry.go b/internal/handlers/docker_registry.go
index 4d6ce1a..131dabd 100644
--- a/internal/handlers/docker_registry.go
+++ b/internal/handlers/docker_registry.go
@@ -40,7 +40,7 @@ func NewDockerRegistryHandler(creds config.Credentials, transport http.RoundTrip
 	handler := DockerRegistryHandler{
 		credentials: []*dockerRegistryCredentials{},
 		transport: transport,
-		oidcRegistry: oidc.NewOIDCRegistry(),
+		oidcRegistry: oidc.NewOIDCRegistry(transport),
 	}
 	if getECRClient == nil {
diff --git a/internal/handlers/goproxy_server_handler.go b/internal/handlers/goproxy_server_handler.go
index 64e6eff..74ed7d0 100644
--- a/internal/handlers/goproxy_server_handler.go
+++ b/internal/handlers/goproxy_server_handler.go
@@ -24,10 +24,10 @@ type goProxyServerCredentials struct {
 }
 // NewGoProxyServerHandler returns a new GoProxyServerHandler.
-func NewGoProxyServerHandler(creds config.Credentials) *GoProxyServerHandler {
+func NewGoProxyServerHandler(creds config.Credentials, transport http.RoundTripper) *GoProxyServerHandler {
 	handler := GoProxyServerHandler{
 		credentials: []goProxyServerCredentials{},
-		oidcRegistry: oidc.NewOIDCRegistry(),
+		oidcRegistry: oidc.NewOIDCRegistry(transport),
 	}
 	for _, cred := range creds {
diff --git a/internal/handlers/goproxy_server_handler_test.go b/internal/handlers/goproxy_server_handler_test.go
index 84849a9..67f4dbc 100644
--- a/internal/handlers/goproxy_server_handler_test.go
+++ b/internal/handlers/goproxy_server_handler_test.go
@@ -36,7 +36,7 @@ func TestGoProxyHandler(t *testing.T) {
 			"password": deltaForcePassword,
 		},
 	}
-	handler := NewGoProxyServerHandler(credentials)
+	handler := NewGoProxyServerHandler(credentials, nil)
 	req := httptest.NewRequest("GET", "https://corp.dependabot.com/packages/somepkg", nil)
 	req = handleRequestAndClose(handler, req, nil)
diff --git a/internal/handlers/helm_registry.go b/internal/handlers/helm_registry.go
index 981c6a6..64d8acf 100644
--- a/internal/handlers/helm_registry.go
+++ b/internal/handlers/helm_registry.go
@@ -24,10 +24,10 @@ type helmRegistryCredentials struct {
 }
 // NewHelmRegistryHandler returns a new HelmRegistryHandler.
-func NewHelmRegistryHandler(creds config.Credentials) *HelmRegistryHandler {
+func NewHelmRegistryHandler(creds config.Credentials, transport http.RoundTripper) *HelmRegistryHandler {
 	handler := HelmRegistryHandler{
 		credentials: []helmRegistryCredentials{},
-		oidcRegistry: oidc.NewOIDCRegistry(),
+		oidcRegistry: oidc.NewOIDCRegistry(transport),
 	}
 	for _, cred := range creds {
diff --git a/internal/handlers/helm_registry_test.go b/internal/handlers/helm_registry_test.go
index d0e07c7..64e213c 100644
--- a/internal/handlers/helm_registry_test.go
+++ b/internal/handlers/helm_registry_test.go
@@ -31,7 +31,7 @@ func TestHelmRegistryHandler(t *testing.T) {
 			"password": bigCoPassword,
 		},
 	}
-	handler := NewHelmRegistryHandler(credentials)
+	handler := NewHelmRegistryHandler(credentials, nil)
 	req := httptest.NewRequest("GET", "https://helmreg.bigco.com/some_chart", nil)
 	req = handleRequestAndClose(handler, req, nil)
diff --git a/internal/handlers/hex_repository.go b/internal/handlers/hex_repository.go
index 94c0f80..20f59af 100644
--- a/internal/handlers/hex_repository.go
+++ b/internal/handlers/hex_repository.go
@@ -23,10 +23,10 @@ type hexRepositoryCredentials struct {
 	authKey string
 }
-func NewHexRepositoryHandler(creds config.Credentials) *HexRepositoryHandler {
+func NewHexRepositoryHandler(creds config.Credentials, transport http.RoundTripper) *HexRepositoryHandler {
 	handler := HexRepositoryHandler{
 		credentials: []hexRepositoryCredentials{},
-		oidcRegistry: oidc.NewOIDCRegistry(),
+		oidcRegistry: oidc.NewOIDCRegistry(transport),
 	}
 	for _, cred := range creds {
@@ -43,7 +43,7 @@ func NewHexRepositoryHandler(creds config.Credentials) *HexRepositoryHandler {
 			if oidcCred, _, _ := handler.oidcRegistry.Register(cred, []string{"url"}, "hex repository"); oidcCred != nil {
 				continue
 			}
-		} else if oidcCred, _ := oidc.CreateOIDCCredential(cred); oidcCred != nil {
+		} else if oidcCred, _ := oidc.CreateOIDCCredential(cred, transport); oidcCred != nil {
 			continue
 		}
diff --git a/internal/handlers/hex_repository_test.go b/internal/handlers/hex_repository_test.go
index 791697b..1bb4565 100644
--- a/internal/handlers/hex_repository_test.go
+++ b/internal/handlers/hex_repository_test.go
@@ -29,7 +29,7 @@ func TestHexRepositoryHandler(t *testing.T) {
 	validPath := "/repos/my_wonderful_repo/version"
-	handler := NewHexRepositoryHandler(credentials)
+	handler := NewHexRepositoryHandler(credentials, nil)
 	// valid request, should authenticate
 	url := validConfigUrl + validPath
diff --git a/internal/handlers/maven_repository.go b/internal/handlers/maven_repository.go
index 40f59fe..497cf31 100644
--- a/internal/handlers/maven_repository.go
+++ b/internal/handlers/maven_repository.go
@@ -25,10 +25,10 @@ type mavenRepositoryCredentials struct {
 }
 // NewMavenRepositoryHandler returns a new MavenRepositoryHandler.
-func NewMavenRepositoryHandler(creds config.Credentials) *MavenRepositoryHandler {
+func NewMavenRepositoryHandler(creds config.Credentials, transport http.RoundTripper) *MavenRepositoryHandler {
 	handler := MavenRepositoryHandler{
 		credentials: []mavenRepositoryCredentials{},
-		oidcRegistry: oidc.NewOIDCRegistry(),
+		oidcRegistry: oidc.NewOIDCRegistry(transport),
 	}
 	for _, cred := range creds {
diff --git a/internal/handlers/maven_repository_test.go b/internal/handlers/maven_repository_test.go
index add1ce0..59cabb7 100644
--- a/internal/handlers/maven_repository_test.go
+++ b/internal/handlers/maven_repository_test.go
@@ -36,7 +36,7 @@ func TestMavenRepositoryHandler(t *testing.T) {
 			"password": deltaForcePassword,
 		},
 	}
-	handler := NewMavenRepositoryHandler(credentials)
+	handler := NewMavenRepositoryHandler(credentials, nil)
 	req := httptest.NewRequest("GET", "https://corp.dependabot.com/packages/somepkg", nil)
 	req = handleRequestAndClose(handler, req, nil)
diff --git a/internal/handlers/npm_registry.go b/internal/handlers/npm_registry.go
index 04b04ff..0804c75 100644
--- a/internal/handlers/npm_registry.go
+++ b/internal/handlers/npm_registry.go
@@ -28,10 +28,10 @@ type npmRegistryCredentials struct {
 }
 // NewNPMRegistryHandler returns a new NPMRegistryHandler,
-func NewNPMRegistryHandler(creds config.Credentials) *NPMRegistryHandler {
+func NewNPMRegistryHandler(creds config.Credentials, transport http.RoundTripper) *NPMRegistryHandler {
 	handler := NPMRegistryHandler{
 		credentials: []npmRegistryCredentials{},
-		oidcRegistry: oidc.NewOIDCRegistry(),
+		oidcRegistry: oidc.NewOIDCRegistry(transport),
 	}
 	for _, cred := range creds {
diff --git a/internal/handlers/npm_registry_test.go b/internal/handlers/npm_registry_test.go
index d89f1c7..456176a 100644
--- a/internal/handlers/npm_registry_test.go
+++ b/internal/handlers/npm_registry_test.go
@@ -41,7 +41,7 @@ func TestNPMRegistryHandler(t *testing.T) {
 			"token": privateRegToken,
 		},
 	}
-	handler := NewNPMRegistryHandler(credentials)
+	handler := NewNPMRegistryHandler(credentials, nil)
 	req := httptest.NewRequest("GET", "https://registry.npmjs.org/private-package", nil)
 	req = handleRequestAndClose(handler, req, nil)
diff --git a/internal/handlers/nuget_feed.go b/internal/handlers/nuget_feed.go
index a48c697..989c668 100644
--- a/internal/handlers/nuget_feed.go
+++ b/internal/handlers/nuget_feed.go
@@ -51,7 +51,7 @@ type nugetFeedCredentials struct {
 func NewNugetFeedHandler(creds config.Credentials, transport http.RoundTripper) *NugetFeedHandler {
 	handler := NugetFeedHandler{
 		credentials: []nugetFeedCredentials{},
-		oidcRegistry: oidc.NewOIDCRegistry(),
+		oidcRegistry: oidc.NewOIDCRegistry(transport),
 	}
 	httpClient := &http.Client{
diff --git a/internal/handlers/oidc_handling_test.go b/internal/handlers/oidc_handling_test.go
index 6310bdb..7ad3eb9 100644
--- a/internal/handlers/oidc_handling_test.go
+++ b/internal/handlers/oidc_handling_test.go
@@ -46,7 +46,7 @@ func TestOIDCURLsAreAuthenticated(t *testing.T) {
 			name: "Cargo",
 			provider: "aws",
 			handlerFactory: func(creds config.Credentials) oidcHandler {
-				return NewCargoRegistryHandler(creds)
+				return NewCargoRegistryHandler(creds, nil)
 			},
 			credentials: config.Credentials{
 				config.Credential{
@@ -71,7 +71,7 @@ func TestOIDCURLsAreAuthenticated(t *testing.T) {
 			name: "Cargo",
 			provider: "azure",
 			handlerFactory: func(creds config.Credentials) oidcHandler {
-				return NewCargoRegistryHandler(creds)
+				return NewCargoRegistryHandler(creds, nil)
 			},
 			credentials: config.Credentials{
 				config.Credential{
@@ -93,7 +93,7 @@ func TestOIDCURLsAreAuthenticated(t *testing.T) { name: "Cargo", provider: "jfrog", handlerFactory: func(creds config.Credentials) oidcHandler { - return NewCargoRegistryHandler(creds) + return NewCargoRegistryHandler(creds, nil) }, credentials: config.Credentials{ config.Credential{ @@ -114,7 +114,7 @@ func TestOIDCURLsAreAuthenticated(t *testing.T) { name: "Cargo", provider: "cloudsmith", handlerFactory: func(creds config.Credentials) oidcHandler { - return NewCargoRegistryHandler(creds) + return NewCargoRegistryHandler(creds, nil) }, credentials: config.Credentials{ config.Credential{ @@ -137,7 +137,7 @@ func TestOIDCURLsAreAuthenticated(t *testing.T) { name: "Cargo", provider: "gcp", handlerFactory: func(creds config.Credentials) oidcHandler { - return NewCargoRegistryHandler(creds) + return NewCargoRegistryHandler(creds, nil) }, credentials: config.Credentials{ config.Credential{ @@ -161,7 +161,7 @@ func TestOIDCURLsAreAuthenticated(t *testing.T) { name: "Composer", provider: "aws", handlerFactory: func(creds config.Credentials) oidcHandler { - return NewComposerHandler(creds) + return NewComposerHandler(creds, nil) }, credentials: config.Credentials{ config.Credential{ @@ -186,7 +186,7 @@ func TestOIDCURLsAreAuthenticated(t *testing.T) { name: "Composer", provider: "azure", handlerFactory: func(creds config.Credentials) oidcHandler { - return NewComposerHandler(creds) + return NewComposerHandler(creds, nil) }, credentials: config.Credentials{ config.Credential{ @@ -208,7 +208,7 @@ func TestOIDCURLsAreAuthenticated(t *testing.T) { name: "Composer", provider: "jfrog", handlerFactory: func(creds config.Credentials) oidcHandler { - return NewComposerHandler(creds) + return NewComposerHandler(creds, nil) }, credentials: config.Credentials{ config.Credential{ 
@@ -230,7 +230,7 @@ func TestOIDCURLsAreAuthenticated(t *testing.T) { name: "Composer", provider: "cloudsmith", handlerFactory: func(creds config.Credentials) oidcHandler { - return NewComposerHandler(creds) + return NewComposerHandler(creds, nil) }, credentials: config.Credentials{ config.Credential{ @@ -253,7 +253,7 @@ func TestOIDCURLsAreAuthenticated(t *testing.T) { name: "Composer", provider: "gcp", handlerFactory: func(creds config.Credentials) oidcHandler { - return NewComposerHandler(creds) + return NewComposerHandler(creds, nil) }, credentials: config.Credentials{ config.Credential{ @@ -278,7 +278,7 @@ func TestOIDCURLsAreAuthenticated(t *testing.T) { name: "Docker", provider: "aws", handlerFactory: func(creds config.Credentials) oidcHandler { - return NewDockerRegistryHandler(creds, &http.Transport{}, nil) + return NewDockerRegistryHandler(creds, nil, nil) }, credentials: config.Credentials{ config.Credential{ @@ -303,7 +303,7 @@ func TestOIDCURLsAreAuthenticated(t *testing.T) { name: "Docker", provider: "azure", handlerFactory: func(creds config.Credentials) oidcHandler { - return NewDockerRegistryHandler(creds, &http.Transport{}, nil) + return NewDockerRegistryHandler(creds, nil, nil) }, credentials: config.Credentials{ config.Credential{ @@ -325,7 +325,7 @@ func TestOIDCURLsAreAuthenticated(t *testing.T) { name: "Docker with URL", provider: "jfrog", handlerFactory: func(creds config.Credentials) oidcHandler { - return NewDockerRegistryHandler(creds, &http.Transport{}, nil) + return NewDockerRegistryHandler(creds, nil, nil) }, credentials: config.Credentials{ config.Credential{ @@ -346,7 +346,7 @@ func TestOIDCURLsAreAuthenticated(t *testing.T) { name: "Docker", provider: "cloudsmith", handlerFactory: func(creds config.Credentials) oidcHandler { - return NewDockerRegistryHandler(creds, &http.Transport{}, nil) + return NewDockerRegistryHandler(creds, nil, nil) }, credentials: config.Credentials{ config.Credential{ 
@@ -369,7 +369,7 @@ func TestOIDCURLsAreAuthenticated(t *testing.T) { name: "Docker", provider: "gcp", handlerFactory: func(creds config.Credentials) oidcHandler { - return NewDockerRegistryHandler(creds, &http.Transport{}, nil) + return NewDockerRegistryHandler(creds, nil, nil) }, credentials: config.Credentials{ config.Credential{ @@ -393,7 +393,7 @@ func TestOIDCURLsAreAuthenticated(t *testing.T) { name: "Go proxy", provider: "aws", handlerFactory: func(creds config.Credentials) oidcHandler { - return NewGoProxyServerHandler(creds) + return NewGoProxyServerHandler(creds, nil) }, credentials: config.Credentials{ config.Credential{ @@ -418,7 +418,7 @@ func TestOIDCURLsAreAuthenticated(t *testing.T) { name: "Go proxy with host", provider: "azure", handlerFactory: func(creds config.Credentials) oidcHandler { - return NewGoProxyServerHandler(creds) + return NewGoProxyServerHandler(creds, nil) }, credentials: config.Credentials{ config.Credential{ @@ -440,7 +440,7 @@ func TestOIDCURLsAreAuthenticated(t *testing.T) { name: "Go proxy", provider: "jfrog", handlerFactory: func(creds config.Credentials) oidcHandler { - return NewGoProxyServerHandler(creds) + return NewGoProxyServerHandler(creds, nil) }, credentials: config.Credentials{ config.Credential{ @@ -461,7 +461,7 @@ func TestOIDCURLsAreAuthenticated(t *testing.T) { name: "Go proxy", provider: "cloudsmith", handlerFactory: func(creds config.Credentials) oidcHandler { - return NewGoProxyServerHandler(creds) + return NewGoProxyServerHandler(creds, nil) }, credentials: config.Credentials{ config.Credential{ @@ -484,7 +484,7 @@ func TestOIDCURLsAreAuthenticated(t *testing.T) { name: "Go proxy", provider: "gcp", handlerFactory: func(creds config.Credentials) oidcHandler { - return NewGoProxyServerHandler(creds) + return NewGoProxyServerHandler(creds, nil) }, credentials: config.Credentials{ config.Credential{ 
@@ -508,7 +508,7 @@ func TestOIDCURLsAreAuthenticated(t *testing.T) { name: "Helm registry", provider: "aws", handlerFactory: func(creds config.Credentials) oidcHandler { - return NewHelmRegistryHandler(creds) + return NewHelmRegistryHandler(creds, nil) }, credentials: config.Credentials{ config.Credential{ @@ -533,7 +533,7 @@ func TestOIDCURLsAreAuthenticated(t *testing.T) { name: "Helm registry", provider: "azure", handlerFactory: func(creds config.Credentials) oidcHandler { - return NewHelmRegistryHandler(creds) + return NewHelmRegistryHandler(creds, nil) }, credentials: config.Credentials{ config.Credential{ @@ -555,7 +555,7 @@ func TestOIDCURLsAreAuthenticated(t *testing.T) { name: "Helm registry with url", provider: "jfrog", handlerFactory: func(creds config.Credentials) oidcHandler { - return NewHelmRegistryHandler(creds) + return NewHelmRegistryHandler(creds, nil) }, credentials: config.Credentials{ config.Credential{ @@ -576,7 +576,7 @@ func TestOIDCURLsAreAuthenticated(t *testing.T) { name: "Helm registry", provider: "cloudsmith", handlerFactory: func(creds config.Credentials) oidcHandler { - return NewHelmRegistryHandler(creds) + return NewHelmRegistryHandler(creds, nil) }, credentials: config.Credentials{ config.Credential{ @@ -599,7 +599,7 @@ func TestOIDCURLsAreAuthenticated(t *testing.T) { name: "Helm registry", provider: "gcp", handlerFactory: func(creds config.Credentials) oidcHandler { - return NewHelmRegistryHandler(creds) + return NewHelmRegistryHandler(creds, nil) }, credentials: config.Credentials{ config.Credential{ @@ -623,7 +623,7 @@ func TestOIDCURLsAreAuthenticated(t *testing.T) { name: "Hex", provider: "aws", handlerFactory: func(creds config.Credentials) oidcHandler { - return NewHexRepositoryHandler(creds) + return NewHexRepositoryHandler(creds, nil) }, credentials: config.Credentials{ config.Credential{ 
@@ -648,7 +648,7 @@ func TestOIDCURLsAreAuthenticated(t *testing.T) { name: "Hex", provider: "azure", handlerFactory: func(creds config.Credentials) oidcHandler { - return NewHexRepositoryHandler(creds) + return NewHexRepositoryHandler(creds, nil) }, credentials: config.Credentials{ config.Credential{ @@ -670,7 +670,7 @@ func TestOIDCURLsAreAuthenticated(t *testing.T) { name: "Hex", provider: "jfrog", handlerFactory: func(creds config.Credentials) oidcHandler { - return NewHexRepositoryHandler(creds) + return NewHexRepositoryHandler(creds, nil) }, credentials: config.Credentials{ config.Credential{ @@ -691,7 +691,7 @@ func TestOIDCURLsAreAuthenticated(t *testing.T) { name: "Hex", provider: "cloudsmith", handlerFactory: func(creds config.Credentials) oidcHandler { - return NewHexRepositoryHandler(creds) + return NewHexRepositoryHandler(creds, nil) }, credentials: config.Credentials{ config.Credential{ @@ -714,7 +714,7 @@ func TestOIDCURLsAreAuthenticated(t *testing.T) { name: "Hex", provider: "gcp", handlerFactory: func(creds config.Credentials) oidcHandler { - return NewHexRepositoryHandler(creds) + return NewHexRepositoryHandler(creds, nil) }, credentials: config.Credentials{ config.Credential{ @@ -738,7 +738,7 @@ func TestOIDCURLsAreAuthenticated(t *testing.T) { name: "Maven", provider: "aws", handlerFactory: func(creds config.Credentials) oidcHandler { - return NewMavenRepositoryHandler(creds) + return NewMavenRepositoryHandler(creds, nil) }, credentials: config.Credentials{ config.Credential{ @@ -763,7 +763,7 @@ func TestOIDCURLsAreAuthenticated(t *testing.T) { name: "Maven", provider: "azure", handlerFactory: func(creds config.Credentials) oidcHandler { - return NewMavenRepositoryHandler(creds) + return NewMavenRepositoryHandler(creds, nil) }, credentials: config.Credentials{ config.Credential{ 
@@ -785,7 +785,7 @@ func TestOIDCURLsAreAuthenticated(t *testing.T) { name: "Maven", provider: "jfrog", handlerFactory: func(creds config.Credentials) oidcHandler { - return NewMavenRepositoryHandler(creds) + return NewMavenRepositoryHandler(creds, nil) }, credentials: config.Credentials{ config.Credential{ @@ -806,7 +806,7 @@ func TestOIDCURLsAreAuthenticated(t *testing.T) { name: "Maven", provider: "cloudsmith", handlerFactory: func(creds config.Credentials) oidcHandler { - return NewMavenRepositoryHandler(creds) + return NewMavenRepositoryHandler(creds, nil) }, credentials: config.Credentials{ config.Credential{ @@ -829,7 +829,7 @@ func TestOIDCURLsAreAuthenticated(t *testing.T) { name: "Maven", provider: "gcp", handlerFactory: func(creds config.Credentials) oidcHandler { - return NewMavenRepositoryHandler(creds) + return NewMavenRepositoryHandler(creds, nil) }, credentials: config.Credentials{ config.Credential{ @@ -853,7 +853,7 @@ func TestOIDCURLsAreAuthenticated(t *testing.T) { name: "NPM", provider: "aws", handlerFactory: func(creds config.Credentials) oidcHandler { - return NewNPMRegistryHandler(creds) + return NewNPMRegistryHandler(creds, nil) }, credentials: config.Credentials{ config.Credential{ @@ -878,7 +878,7 @@ func TestOIDCURLsAreAuthenticated(t *testing.T) { name: "NPM", provider: "azure", handlerFactory: func(creds config.Credentials) oidcHandler { - return NewNPMRegistryHandler(creds) + return NewNPMRegistryHandler(creds, nil) }, credentials: config.Credentials{ config.Credential{ @@ -900,7 +900,7 @@ func TestOIDCURLsAreAuthenticated(t *testing.T) { name: "NPM", provider: "jfrog", handlerFactory: func(creds config.Credentials) oidcHandler { - return NewNPMRegistryHandler(creds) + return NewNPMRegistryHandler(creds, nil) }, credentials: config.Credentials{ config.Credential{ 
@@ -921,7 +921,7 @@ func TestOIDCURLsAreAuthenticated(t *testing.T) { name: "NPM", provider: "cloudsmith", handlerFactory: func(creds config.Credentials) oidcHandler { - return NewNPMRegistryHandler(creds) + return NewNPMRegistryHandler(creds, nil) }, credentials: config.Credentials{ config.Credential{ @@ -944,7 +944,7 @@ func TestOIDCURLsAreAuthenticated(t *testing.T) { name: "NPM", provider: "gcp", handlerFactory: func(creds config.Credentials) oidcHandler { - return NewNPMRegistryHandler(creds) + return NewNPMRegistryHandler(creds, nil) }, credentials: config.Credentials{ config.Credential{ @@ -1123,7 +1123,7 @@ func TestOIDCURLsAreAuthenticated(t *testing.T) { name: "Pub", provider: "aws", handlerFactory: func(creds config.Credentials) oidcHandler { - return NewPubRepositoryHandler(creds) + return NewPubRepositoryHandler(creds, nil) }, credentials: config.Credentials{ config.Credential{ @@ -1148,7 +1148,7 @@ func TestOIDCURLsAreAuthenticated(t *testing.T) { name: "Pub", provider: "azure", handlerFactory: func(creds config.Credentials) oidcHandler { - return NewPubRepositoryHandler(creds) + return NewPubRepositoryHandler(creds, nil) }, credentials: config.Credentials{ config.Credential{ @@ -1170,7 +1170,7 @@ func TestOIDCURLsAreAuthenticated(t *testing.T) { name: "Pub", provider: "jfrog", handlerFactory: func(creds config.Credentials) oidcHandler { - return NewPubRepositoryHandler(creds) + return NewPubRepositoryHandler(creds, nil) }, credentials: config.Credentials{ config.Credential{ @@ -1191,7 +1191,7 @@ func TestOIDCURLsAreAuthenticated(t *testing.T) { name: "Pub", provider: "cloudsmith", handlerFactory: func(creds config.Credentials) oidcHandler { - return NewPubRepositoryHandler(creds) + return NewPubRepositoryHandler(creds, nil) }, credentials: config.Credentials{ config.Credential{ 
@@ -1214,7 +1214,7 @@ func TestOIDCURLsAreAuthenticated(t *testing.T) { name: "Pub", provider: "gcp", handlerFactory: func(creds config.Credentials) oidcHandler { - return NewPubRepositoryHandler(creds) + return NewPubRepositoryHandler(creds, nil) }, credentials: config.Credentials{ config.Credential{ @@ -1238,7 +1238,7 @@ func TestOIDCURLsAreAuthenticated(t *testing.T) { name: "Python", provider: "aws", handlerFactory: func(creds config.Credentials) oidcHandler { - return NewPythonIndexHandler(creds) + return NewPythonIndexHandler(creds, nil) }, credentials: config.Credentials{ config.Credential{ @@ -1263,7 +1263,7 @@ func TestOIDCURLsAreAuthenticated(t *testing.T) { name: "Python", provider: "azure", handlerFactory: func(creds config.Credentials) oidcHandler { - return NewPythonIndexHandler(creds) + return NewPythonIndexHandler(creds, nil) }, credentials: config.Credentials{ config.Credential{ @@ -1285,7 +1285,7 @@ func TestOIDCURLsAreAuthenticated(t *testing.T) { name: "Python", provider: "jfrog", handlerFactory: func(creds config.Credentials) oidcHandler { - return NewPythonIndexHandler(creds) + return NewPythonIndexHandler(creds, nil) }, credentials: config.Credentials{ config.Credential{ @@ -1306,7 +1306,7 @@ func TestOIDCURLsAreAuthenticated(t *testing.T) { name: "Python", provider: "cloudsmith", handlerFactory: func(creds config.Credentials) oidcHandler { - return NewPythonIndexHandler(creds) + return NewPythonIndexHandler(creds, nil) }, credentials: config.Credentials{ config.Credential{ @@ -1329,7 +1329,7 @@ func TestOIDCURLsAreAuthenticated(t *testing.T) { name: "Python", provider: "gcp", handlerFactory: func(creds config.Credentials) oidcHandler { - return NewPythonIndexHandler(creds) + return NewPythonIndexHandler(creds, nil) }, credentials: config.Credentials{ config.Credential{ 
@@ -1353,7 +1353,7 @@ func TestOIDCURLsAreAuthenticated(t *testing.T) {
 name: "RubyGems",
 provider: "aws",
 handlerFactory: func(creds config.Credentials) oidcHandler {
- return NewRubyGemsServerHandler(creds)
+ return NewRubyGemsServerHandler(creds, nil)
 },
 credentials: config.Credentials{
 config.Credential{
@@ -1378,7 +1378,7 @@ func TestOIDCURLsAreAuthenticated(t *testing.T) {
 name: "RubyGems",
 provider: "azure",
 handlerFactory: func(creds config.Credentials) oidcHandler {
- return NewRubyGemsServerHandler(creds)
+ return NewRubyGemsServerHandler(creds, nil)
 },
 credentials: config.Credentials{
 config.Credential{
@@ -1400,7 +1400,7 @@ func TestOIDCURLsAreAuthenticated(t *testing.T) {
 name: "RubyGems",
 provider: "jfrog",
 handlerFactory: func(creds config.Credentials) oidcHandler {
- return NewRubyGemsServerHandler(creds)
+ return NewRubyGemsServerHandler(creds, nil)
 },
 credentials: config.Credentials{
 config.Credential{
@@ -1422,7 +1422,7 @@ func TestOIDCURLsAreAuthenticated(t *testing.T) {
 name: "RubyGems",
 provider: "cloudsmith",
 handlerFactory: func(creds config.Credentials) oidcHandler {
- return NewRubyGemsServerHandler(creds)
+ return NewRubyGemsServerHandler(creds, nil)
 },
 credentials: config.Credentials{
 config.Credential{
@@ -1446,7 +1446,7 @@ func TestOIDCURLsAreAuthenticated(t *testing.T) {
 name: "RubyGems",
 provider: "gcp",
 handlerFactory: func(creds config.Credentials) oidcHandler {
- return NewRubyGemsServerHandler(creds)
+ return NewRubyGemsServerHandler(creds, nil)
 },
 credentials: config.Credentials{
 config.Credential{
@@ -1471,7 +1471,7 @@ func TestOIDCURLsAreAuthenticated(t *testing.T) {
 name: "Terraform",
 provider: "aws",
 handlerFactory: func(creds config.Credentials) oidcHandler {
- return NewTerraformRegistryHandler(creds)
+ return NewTerraformRegistryHandler(creds, nil)
 },
 credentials: config.Credentials{
 config.Credential{
@@ -1496,7 +1496,7 @@ func TestOIDCURLsAreAuthenticated(t *testing.T) { name: "Terraform with host", provider: "azure", handlerFactory: func(creds config.Credentials) oidcHandler { - return NewTerraformRegistryHandler(creds) + return NewTerraformRegistryHandler(creds, nil) }, credentials: config.Credentials{ config.Credential{ @@ -1518,7 +1518,7 @@ func TestOIDCURLsAreAuthenticated(t *testing.T) { name: "Terraform", provider: "jfrog", handlerFactory: func(creds config.Credentials) oidcHandler { - return NewTerraformRegistryHandler(creds) + return NewTerraformRegistryHandler(creds, nil) }, credentials: config.Credentials{ config.Credential{ @@ -1539,7 +1539,7 @@ func TestOIDCURLsAreAuthenticated(t *testing.T) { name: "Terraform", provider: "cloudsmith", handlerFactory: func(creds config.Credentials) oidcHandler { - return NewTerraformRegistryHandler(creds) + return NewTerraformRegistryHandler(creds, nil) }, credentials: config.Credentials{ config.Credential{ @@ -1562,7 +1562,7 @@ func TestOIDCURLsAreAuthenticated(t *testing.T) { name: "Terraform", provider: "gcp", handlerFactory: func(creds config.Credentials) oidcHandler { - return NewTerraformRegistryHandler(creds) + return NewTerraformRegistryHandler(creds, nil) }, credentials: config.Credentials{ config.Credential{ @@ -1728,7 +1728,7 @@ func TestPythonOIDCSimpleSuffixStripping(t *testing.T) { }, } - handler := NewPythonIndexHandler(creds) + handler := NewPythonIndexHandler(creds, nil) // /+simple/ should be stripped → registered as /org/feed-A/ reqA := httptest.NewRequest("GET", "https://pkgs.example.com/org/feed-A/pkg/a", nil) @@ -1779,7 +1779,7 @@ func TestNPMOIDCSameHostDifferentPaths(t *testing.T) { }, } - handler := NewNPMRegistryHandler(creds) + handler := NewNPMRegistryHandler(creds, nil) // Request to feed-A path should get token A reqA := httptest.NewRequest("GET", "https://pkgs.example.com/org/feed-A/some-package", nil) 
@@ -1832,7 +1832,7 @@ func TestTerraformOIDCSameHostDifferentPaths(t *testing.T) { }, } - handler := NewTerraformRegistryHandler(creds) + handler := NewTerraformRegistryHandler(creds, nil) // Request to feed-A path should get token A reqA := httptest.NewRequest("GET", "https://terraform.example.com/org/feed-A/v1/providers/org/name", nil) diff --git a/internal/handlers/pub_repository.go b/internal/handlers/pub_repository.go index a3bae5a..dca2cda 100644 --- a/internal/handlers/pub_repository.go +++ b/internal/handlers/pub_repository.go @@ -25,10 +25,10 @@ type pubRepositoryCredentials struct { token string } -func NewPubRepositoryHandler(credentials config.Credentials) *PubRepositoryHandler { +func NewPubRepositoryHandler(credentials config.Credentials, transport http.RoundTripper) *PubRepositoryHandler { handler := PubRepositoryHandler{ credentials: []pubRepositoryCredentials{}, - oidcRegistry: oidc.NewOIDCRegistry(), + oidcRegistry: oidc.NewOIDCRegistry(transport), } for _, credential := range credentials { @@ -45,7 +45,7 @@ func NewPubRepositoryHandler(credentials config.Credentials) *PubRepositoryHandl if oidcCred, _, _ := handler.oidcRegistry.Register(credential, []string{"url"}, "pub repository"); oidcCred != nil { continue } - } else if oidcCred, _ := oidc.CreateOIDCCredential(credential); oidcCred != nil { + } else if oidcCred, _ := oidc.CreateOIDCCredential(credential, transport); oidcCred != nil { continue } diff --git a/internal/handlers/pub_repository_test.go b/internal/handlers/pub_repository_test.go index ba850ac..cf727bf 100644 --- a/internal/handlers/pub_repository_test.go +++ b/internal/handlers/pub_repository_test.go @@ -46,7 +46,7 @@ func TestPubRepositoryHandler(t *testing.T) { }, } - handler := NewPubRepositoryHandler(credentials) + handler := NewPubRepositoryHandler(credentials, nil) // valid request, should authenticate url := validURL 
diff --git a/internal/handlers/python_index.go b/internal/handlers/python_index.go index ef69f9a..cd4af4a 100644 --- a/internal/handlers/python_index.go +++ b/internal/handlers/python_index.go @@ -30,10 +30,10 @@ type pythonIndexCredentials struct { } // NewPythonIndexHandler returns a new PythonIndexHandler. -func NewPythonIndexHandler(creds config.Credentials) *PythonIndexHandler { +func NewPythonIndexHandler(creds config.Credentials, transport http.RoundTripper) *PythonIndexHandler { handler := PythonIndexHandler{ credentials: []pythonIndexCredentials{}, - oidcRegistry: oidc.NewOIDCRegistry(), + oidcRegistry: oidc.NewOIDCRegistry(transport), } for _, cred := range creds { @@ -43,7 +43,7 @@ func NewPythonIndexHandler(creds config.Credentials) *PythonIndexHandler { indexURL := cred.GetString("index-url") - oidcCredential, _ := oidc.CreateOIDCCredential(cred) + oidcCredential, _ := oidc.CreateOIDCCredential(cred, transport) if oidcCredential != nil { // Normalize the registration URL by stripping the /simple or /+simple // suffix, matching how static credentials are matched at request time. diff --git a/internal/handlers/python_index_test.go b/internal/handlers/python_index_test.go index eb3d554..ed9e484 100644 --- a/internal/handlers/python_index_test.go +++ b/internal/handlers/python_index_test.go @@ -47,7 +47,7 @@ func TestPythonIndexHandler(t *testing.T) { "token": fmt.Sprintf("%s:%s", deltaForceUser, deltaForcePassword), }, } - handler := NewPythonIndexHandler(credentials) + handler := NewPythonIndexHandler(credentials, nil) req := httptest.NewRequest("GET", "https://corp.dependabot.com/pyreg", nil) req = handleRequestAndClose(handler, req, nil) diff --git a/internal/handlers/rubygems_server.go b/internal/handlers/rubygems_server.go index cb9829a..783e11c 100644 --- a/internal/handlers/rubygems_server.go +++ b/internal/handlers/rubygems_server.go 
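Review bot: The doc comment `// NewPythonIndexHandler returns a new PythonIndexHandler.` says nothing about the new `transport` parameter, and the same gap applies to NewRubyGemsServerHandler in the next hunk, while NewPubRepositoryHandler (previous hunk) and NewTerraformRegistryHandler (next hunk) carry no doc comment at all despite being exported. Since a nil transport makes the underlying http.Client fall back to http.DefaultTransport, and every visible test passes nil, that behaviour should be stated where callers will see it; suggest `// NewPythonIndexHandler returns a new PythonIndexHandler. transport is used for outbound OIDC token requests; nil falls back to http.DefaultTransport.` and the equivalent on the other three constructors. The constructor bodies continue outside these hunks.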
@@ -25,10 +25,10 @@ type rubyGemsServerCredentials struct { } // NewRubyGemsServerHandler returns a new RubyGemsServerHandler. -func NewRubyGemsServerHandler(creds config.Credentials) *RubyGemsServerHandler { +func NewRubyGemsServerHandler(creds config.Credentials, transport http.RoundTripper) *RubyGemsServerHandler { handler := RubyGemsServerHandler{ credentials: []rubyGemsServerCredentials{}, - oidcRegistry: oidc.NewOIDCRegistry(), + oidcRegistry: oidc.NewOIDCRegistry(transport), } for _, cred := range creds { diff --git a/internal/handlers/rubygems_server_test.go b/internal/handlers/rubygems_server_test.go index 443cd0d..891c23a 100644 --- a/internal/handlers/rubygems_server_test.go +++ b/internal/handlers/rubygems_server_test.go @@ -37,7 +37,7 @@ func TestRubyGemsServerHandler(t *testing.T) { "token": fmt.Sprintf("%s:%s", pathUser, pathPassword), }, } - handler := NewRubyGemsServerHandler(credentials) + handler := NewRubyGemsServerHandler(credentials, nil) req := httptest.NewRequest("GET", "https://corp.dependabot.com/gems", nil) req = handleRequestAndClose(handler, req, nil) diff --git a/internal/handlers/terraform_registry.go b/internal/handlers/terraform_registry.go index df6b09c..6dda264 100644 --- a/internal/handlers/terraform_registry.go +++ b/internal/handlers/terraform_registry.go @@ -24,10 +24,10 @@ type terraformRegistryCredentials struct { token string } -func NewTerraformRegistryHandler(credentials config.Credentials) *TerraformRegistryHandler { +func NewTerraformRegistryHandler(credentials config.Credentials, transport http.RoundTripper) *TerraformRegistryHandler { handler := TerraformRegistryHandler{ credentials: []terraformRegistryCredentials{}, - oidcRegistry: oidc.NewOIDCRegistry(), + oidcRegistry: oidc.NewOIDCRegistry(transport), } for _, credential := range credentials { diff --git a/internal/handlers/terraform_registry_test.go b/internal/handlers/terraform_registry_test.go index e7b00c9..9862a7f 100644 
--- a/internal/handlers/terraform_registry_test.go +++ b/internal/handlers/terraform_registry_test.go @@ -58,7 +58,7 @@ func TestTerraformRegistryHandler(t *testing.T) { } for _, tt := range tests { t.Run(strings.Join([]string{tt.registryType, tt.host, tt.token}, " "), func(t *testing.T) { - handler := NewTerraformRegistryHandler(tt.credentials) + handler := NewTerraformRegistryHandler(tt.credentials, nil) request := handleRequestAndClose(handler, httptest.NewRequest("GET", tt.url, nil), nil) @@ -67,7 +67,7 @@ func TestTerraformRegistryHandler(t *testing.T) { } t.Run("HandleRequest without credentials", func(t *testing.T) { - handler := NewTerraformRegistryHandler(config.Credentials{}) + handler := NewTerraformRegistryHandler(config.Credentials{}, nil) url := "https://registry.terraform.io/v1/providers/org/name/versions" request := handleRequestAndClose(handler, httptest.NewRequest("GET", url, nil), nil) @@ -80,7 +80,7 @@ func TestTerraformRegistryHandler(t *testing.T) { config.Credential{"type": "terraform_registry", "url": "https://terraform.example.com/org1", "token": "token-org1"}, config.Credential{"type": "terraform_registry", "url": "https://terraform.example.com/org2", "token": "token-org2"}, } - handler := NewTerraformRegistryHandler(credentials) + handler := NewTerraformRegistryHandler(credentials, nil) // Request to org1 path should use org1 token req1 := handleRequestAndClose(handler, httptest.NewRequest("GET", "https://terraform.example.com/org1/v1/providers/foo", nil), nil) @@ -99,7 +99,7 @@ func TestTerraformRegistryHandler(t *testing.T) { credentials := config.Credentials{ config.Credential{"type": "terraform_registry", "host": "terraform.example.org", "token": ""}, } - handler := NewTerraformRegistryHandler(credentials) + handler := NewTerraformRegistryHandler(credentials, nil) assert.Equal(t, 0, len(handler.credentials), "should skip credential with empty token") }) 
@@ -107,7 +107,7 @@ func TestTerraformRegistryHandler(t *testing.T) { credentials := config.Credentials{ config.Credential{"type": "terraform_registry", "token": "some-token"}, } - handler := NewTerraformRegistryHandler(credentials) + handler := NewTerraformRegistryHandler(credentials, nil) assert.Equal(t, 0, len(handler.credentials), "should skip credential with empty host and url") }) @@ -117,7 +117,7 @@ func TestTerraformRegistryHandler(t *testing.T) { config.Credential{"type": "terraform_registry", "url": "https://terraform.example.com/org", "token": "token-org"}, config.Credential{"type": "terraform_registry", "url": "https://terraform.example.com/org1", "token": "token-org1"}, } - handler := NewTerraformRegistryHandler(credentials) + handler := NewTerraformRegistryHandler(credentials, nil) assert.Equal(t, "https://terraform.example.com/org1", handler.credentials[0].url, "longer path should be first") assert.Equal(t, "https://terraform.example.com/org", handler.credentials[1].url, "shorter path should be second") diff --git a/internal/oidc/actions_oidc.go b/internal/oidc/actions_oidc.go index d186e91..5c4805f 100644 --- a/internal/oidc/actions_oidc.go +++ b/internal/oidc/actions_oidc.go @@ -227,7 +227,7 @@ type OIDCAccessToken struct { // githubToken: The GitHub Actions OIDC token obtained via GetTokenForAzureADExchange // // Returns an Azure AD access token scoped for Azure DevOps (499b84ac-1321-427f-aa17-267ca6975798/.default) -func GetAzureAccessToken(ctx context.Context, params AzureOIDCParameters, githubToken string) (*OIDCAccessToken, error) { +func GetAzureAccessToken(ctx context.Context, params AzureOIDCParameters, githubToken string, client *http.Client) (*OIDCAccessToken, error) { if params.TenantID == "" { return nil, fmt.Errorf("tenant ID is required") } 
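Review bot: The new `client *http.Client` parameter of GetAzureAccessToken is used without a nil check, and the same holds for GetJFrogAccessToken, GetAWSAccessToken, GetCloudsmithAccessToken and GetGCPAccessToken in the following hunks, where the in-function client is deleted and `client.Do(req)` is kept; an exported caller passing nil now panics where the old code always had a usable client. These functions already reject missing inputs up front, so add the same style of guard after the parameter checks, `if client == nil { return nil, fmt.Errorf("http client is required") }`, rather than silently substituting http.DefaultClient, which would bypass the transport this commit threads through. The parameter list in the doc comment should also gain a line such as `// client: HTTP client used for the token exchange; must be non-nil`. Note that the 10s timeout previously set on the local client is now the caller's responsibility: CreateOIDCCredential keeps it, but the updated tests pass http.DefaultClient, which has none. GetAzureAccessToken's body continues past this hunk.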
@@ -251,10 +251,6 @@ func GetAzureAccessToken(ctx context.Context, params AzureOIDCParameters, github formData.Set("client_assertion", githubToken) formData.Set("grant_type", "client_credentials") - client := &http.Client{ - Timeout: 10 * time.Second, - } - req, err := http.NewRequestWithContext(ctx, "POST", tokenURL, strings.NewReader(formData.Encode())) if err != nil { return nil, fmt.Errorf("failed to create Azure token request: %w", err) @@ -295,7 +291,7 @@ func GetAzureAccessToken(ctx context.Context, params AzureOIDCParameters, github // GetAzureAccessTokenForDevOps is a convenience function that combines fetching the GitHub OIDC token // and exchanging it for an Azure AD access token in a single call. -func GetAzureAccessTokenForDevOps(ctx context.Context, params AzureOIDCParameters) (*OIDCAccessToken, error) { +func GetAzureAccessTokenForDevOps(ctx context.Context, params AzureOIDCParameters, client *http.Client) (*OIDCAccessToken, error) { if !IsOIDCConfigured() { return nil, fmt.Errorf("GitHub Actions OIDC is not configured") } @@ -307,7 +303,7 @@ func GetAzureAccessTokenForDevOps(ctx context.Context, params AzureOIDCParameter } // Exchange for Azure token - azureToken, err := GetAzureAccessToken(ctx, params, githubToken) + azureToken, err := GetAzureAccessToken(ctx, params, githubToken, client) if err != nil { return nil, fmt.Errorf("failed to exchange GitHub token for Azure token: %w", err) } @@ -323,7 +319,7 @@ func GetAzureAccessTokenForDevOps(ctx context.Context, params AzureOIDCParameter // githubToken: The GitHub Actions OIDC token obtained via GetToken // // Returns a JFrog access token -func GetJFrogAccessToken(ctx context.Context, params JFrogOIDCParameters, githubToken string) (*OIDCAccessToken, error) { +func GetJFrogAccessToken(ctx context.Context, params JFrogOIDCParameters, githubToken string, client *http.Client) (*OIDCAccessToken, error) { if params.JFrogURL == "" { return nil, fmt.Errorf("token URL base is required") } 
@@ -358,9 +354,6 @@ func GetJFrogAccessToken(ctx context.Context, params JFrogOIDCParameters, github req.Header.Set("Content-Type", "application/json") req.Header.Set("User-Agent", "dependabot-proxy/1.0") - client := &http.Client{ - Timeout: 10 * time.Second, - } resp, err := client.Do(req) if err != nil { return nil, fmt.Errorf("failed to execute JFrog token request: %w", err) @@ -396,7 +389,7 @@ func GetJFrogAccessToken(ctx context.Context, params JFrogOIDCParameters, github }, nil } -func GetJFrogAccessTokenForDevOps(ctx context.Context, params JFrogOIDCParameters) (*OIDCAccessToken, error) { +func GetJFrogAccessTokenForDevOps(ctx context.Context, params JFrogOIDCParameters, client *http.Client) (*OIDCAccessToken, error) { if !IsOIDCConfigured() { return nil, fmt.Errorf("GitHub Actions OIDC is not configured") } @@ -408,7 +401,7 @@ func GetJFrogAccessTokenForDevOps(ctx context.Context, params JFrogOIDCParameter } // Exchange for JFrog token - jfrogToken, err := GetJFrogAccessToken(ctx, params, githubToken) + jfrogToken, err := GetJFrogAccessToken(ctx, params, githubToken, client) if err != nil { return nil, fmt.Errorf("failed to exchange GitHub token for JFrog token: %w", err) } @@ -424,7 +417,7 @@ func GetJFrogAccessTokenForDevOps(ctx context.Context, params JFrogOIDCParameter // githubToken: The GitHub Actions OIDC token obtained via GetToken // // Returns temporary AWS credentials -func GetAWSAccessToken(ctx context.Context, params AWSOIDCParameters, githubToken string) (*OIDCAccessToken, error) { +func GetAWSAccessToken(ctx context.Context, params AWSOIDCParameters, githubToken string, client *http.Client) (*OIDCAccessToken, error) { if params.Region == "" { return nil, fmt.Errorf("AWS region is required") } 
@@ -452,10 +445,6 @@ func GetAWSAccessToken(ctx context.Context, params AWSOIDCParameters, githubToke formData.Set("RoleSessionName", "dependabot-update") formData.Set("WebIdentityToken", githubToken) - client := &http.Client{ - Timeout: 10 * time.Second, - } - req, err := http.NewRequestWithContext(ctx, "POST", awsCodeArtifactSTSRequestUrl, strings.NewReader(formData.Encode())) if err != nil { return nil, fmt.Errorf("failed to create AWS credential request: %w", err) @@ -572,7 +561,7 @@ func GetAWSAccessToken(ctx context.Context, params AWSOIDCParameters, githubToke }, nil } -func GetAWSAccessTokenForDevOps(ctx context.Context, params AWSOIDCParameters) (*OIDCAccessToken, error) { +func GetAWSAccessTokenForDevOps(ctx context.Context, params AWSOIDCParameters, client *http.Client) (*OIDCAccessToken, error) { if !IsOIDCConfigured() { return nil, fmt.Errorf("GitHub Actions OIDC is not configured") } @@ -584,7 +573,7 @@ func GetAWSAccessTokenForDevOps(ctx context.Context, params AWSOIDCParameters) ( } // Exchange for AWS token - awsToken, err := GetAWSAccessToken(ctx, params, githubToken) + awsToken, err := GetAWSAccessToken(ctx, params, githubToken, client) if err != nil { return nil, fmt.Errorf("failed to exchange GitHub token for AWS token: %w", err) } @@ -592,7 +581,7 @@ func GetAWSAccessTokenForDevOps(ctx context.Context, params AWSOIDCParameters) ( return awsToken, nil } -func GetCloudsmithAccessToken(ctx context.Context, params CloudsmithOIDCParameters, githubToken string) (*OIDCAccessToken, error) { +func GetCloudsmithAccessToken(ctx context.Context, params CloudsmithOIDCParameters, githubToken string, client *http.Client) (*OIDCAccessToken, error) { if params.ServiceSlug == "" { return nil, fmt.Errorf("service slug is required") } 
@@ -629,9 +618,6 @@ func GetCloudsmithAccessToken(ctx context.Context, params CloudsmithOIDCParamete req.Header.Set("Accept", "application/json") req.Header.Set("User-Agent", "dependabot-proxy/1.0") - client := &http.Client{ - Timeout: 10 * time.Second, - } resp, err := client.Do(req) if err != nil { return nil, fmt.Errorf("failed to execute cloudsmith token request: %w", err) @@ -663,7 +649,7 @@ func GetCloudsmithAccessToken(ctx context.Context, params CloudsmithOIDCParamete }, nil } -func GetCloudsmithAccessTokenForDevOps(ctx context.Context, params CloudsmithOIDCParameters) (*OIDCAccessToken, error) { +func GetCloudsmithAccessTokenForDevOps(ctx context.Context, params CloudsmithOIDCParameters, client *http.Client) (*OIDCAccessToken, error) { if !IsOIDCConfigured() { return nil, fmt.Errorf("GitHub Actions OIDC is not configured") } @@ -674,7 +660,7 @@ func GetCloudsmithAccessTokenForDevOps(ctx context.Context, params CloudsmithOID return nil, fmt.Errorf("failed to get GitHub OIDC token: %w", err) } - cloudsmithToken, err := GetCloudsmithAccessToken(ctx, params, githubToken) + cloudsmithToken, err := GetCloudsmithAccessToken(ctx, params, githubToken, client) if err != nil { return nil, fmt.Errorf("failed to exchange GitHub token for cloudsmith token: %w", err) } @@ -682,7 +668,7 @@ func GetCloudsmithAccessTokenForDevOps(ctx context.Context, params CloudsmithOID return cloudsmithToken, nil } -func GetGCPAccessToken(ctx context.Context, params GCPOIDCParameters, githubToken string) (*OIDCAccessToken, error) { +func GetGCPAccessToken(ctx context.Context, params GCPOIDCParameters, githubToken string, client *http.Client) (*OIDCAccessToken, error) { if params.WorkloadIdentityProvider == "" { return nil, fmt.Errorf("workload-identity-provider is required") } 
@@ -717,9 +703,6 @@ func GetGCPAccessToken(ctx context.Context, params GCPOIDCParameters, githubToke stsReq.Header.Set("Accept", "application/json") stsReq.Header.Set("User-Agent", "dependabot-proxy/1.0") - client := &http.Client{ - Timeout: 10 * time.Second, - } stsResp, err := client.Do(stsReq) if err != nil { return nil, fmt.Errorf("failed to execute GCP STS request: %w", err) @@ -817,7 +800,7 @@ func GetGCPAccessToken(ctx context.Context, params GCPOIDCParameters, githubToke }, nil } -func GetGCPAccessTokenForDevOps(ctx context.Context, params GCPOIDCParameters) (*OIDCAccessToken, error) { +func GetGCPAccessTokenForDevOps(ctx context.Context, params GCPOIDCParameters, client *http.Client) (*OIDCAccessToken, error) { if !IsOIDCConfigured() { return nil, fmt.Errorf("GitHub Actions OIDC is not configured") } @@ -828,7 +811,7 @@ func GetGCPAccessTokenForDevOps(ctx context.Context, params GCPOIDCParameters) ( return nil, fmt.Errorf("failed to get GitHub OIDC token: %w", err) } - gcpToken, err := GetGCPAccessToken(ctx, params, githubToken) + gcpToken, err := GetGCPAccessToken(ctx, params, githubToken, client) if err != nil { return nil, fmt.Errorf("failed to exchange GitHub token for GCP token: %w", err) } diff --git a/internal/oidc/actions_oidc_test.go b/internal/oidc/actions_oidc_test.go index 92db843..fad6301 100644 --- a/internal/oidc/actions_oidc_test.go +++ b/internal/oidc/actions_oidc_test.go @@ -458,7 +458,7 @@ func TestGetAzureAccessToken(t *testing.T) { TenantID: tt.tenantID, ClientID: tt.clientID, } - azureToken, err = GetAzureAccessToken(ctx, params, tt.githubToken) + azureToken, err = GetAzureAccessToken(ctx, params, tt.githubToken, http.DefaultClient) if tt.expectError { require.Error(t, err) 
@@ -633,7 +633,7 @@ func TestGetJFrogAccessToken(t *testing.T) { Audience: tt.audience, IdentityMappingName: tt.identityMappingName, } - jfrogToken, err = GetJFrogAccessToken(ctx, params, tt.githubToken) + jfrogToken, err = GetJFrogAccessToken(ctx, params, tt.githubToken, http.DefaultClient) if tt.expectError { require.Error(t, err) @@ -822,7 +822,7 @@ func TestGetAWSAccessToken(t *testing.T) { Domain: tt.domain, DomainOwner: tt.domainOwner, } - awsToken, err = GetAWSAccessToken(ctx, params, tt.githubToken) + awsToken, err = GetAWSAccessToken(ctx, params, tt.githubToken, http.DefaultClient) if tt.expectError { require.Error(t, err) @@ -1001,7 +1001,7 @@ func TestGetCloudsmithAccessToken(t *testing.T) { })) } - cloudsmithToken, err = GetCloudsmithAccessToken(ctx, tt.params, tt.githubToken) + cloudsmithToken, err = GetCloudsmithAccessToken(ctx, tt.params, tt.githubToken, http.DefaultClient) if tt.expectError { require.Error(t, err) @@ -1319,7 +1319,7 @@ func TestGetGCPAccessToken(t *testing.T) { })) } - gcpToken, err := GetGCPAccessToken(ctx, tt.params, tt.githubToken) + gcpToken, err := GetGCPAccessToken(ctx, tt.params, tt.githubToken, http.DefaultClient) if tt.expectError { require.Error(t, err) diff --git a/internal/oidc/oidc_credential.go b/internal/oidc/oidc_credential.go index d3d591a..67f49ab 100644 --- a/internal/oidc/oidc_credential.go +++ b/internal/oidc/oidc_credential.go @@ -3,6 +3,7 @@ package oidc import ( "context" "fmt" + "net/http" "net/url" "sync" "time" @@ -74,13 +75,14 @@ type OIDCCredential struct { tokenExpiry time.Time isRejected bool mutex sync.RWMutex + httpClient *http.Client } func (c *OIDCCredential) Provider() string { return c.parameters.Name() } -func CreateOIDCCredential(cred config.Credential) (*OIDCCredential, error) { +func CreateOIDCCredential(cred config.Credential, transport http.RoundTripper) (*OIDCCredential, error) { if !IsOIDCConfigured() { return nil, fmt.Errorf("OIDC is not configured") } 
@@ -173,6 +175,10 @@ func CreateOIDCCredential(cred config.Credential) (*OIDCCredential, error) { return &OIDCCredential{ parameters: parameters, + httpClient: &http.Client{ + Timeout: 10 * time.Second, + Transport: transport, + }, }, nil } @@ -201,15 +207,15 @@ func GetOrRefreshOIDCToken(cred *OIDCCredential, ctx context.Context) (string, e var err error switch params := cred.parameters.(type) { case *AzureOIDCParameters: - oidcAccessToken, err = GetAzureAccessTokenForDevOps(ctx, *params) + oidcAccessToken, err = GetAzureAccessTokenForDevOps(ctx, *params, cred.httpClient) case *JFrogOIDCParameters: - oidcAccessToken, err = GetJFrogAccessTokenForDevOps(ctx, *params) + oidcAccessToken, err = GetJFrogAccessTokenForDevOps(ctx, *params, cred.httpClient) case *AWSOIDCParameters: - oidcAccessToken, err = GetAWSAccessTokenForDevOps(ctx, *params) + oidcAccessToken, err = GetAWSAccessTokenForDevOps(ctx, *params, cred.httpClient) case *CloudsmithOIDCParameters: - oidcAccessToken, err = GetCloudsmithAccessTokenForDevOps(ctx, *params) + oidcAccessToken, err = GetCloudsmithAccessTokenForDevOps(ctx, *params, cred.httpClient) case *GCPOIDCParameters: - oidcAccessToken, err = GetGCPAccessTokenForDevOps(ctx, *params) + oidcAccessToken, err = GetGCPAccessTokenForDevOps(ctx, *params, cred.httpClient) default: return "", fmt.Errorf("unsupported OIDC provider: %s", cred.Provider()) } diff --git a/internal/oidc/oidc_credential_test.go b/internal/oidc/oidc_credential_test.go index 643c719..adeeac8 100644 --- a/internal/oidc/oidc_credential_test.go +++ b/internal/oidc/oidc_credential_test.go @@ -30,7 +30,7 @@ func TestSuccessfulAuthenticationDoesNotMakeARepeatedRequest(t *testing.T) { creds, err := CreateOIDCCredential(config.Credential{ "tenant-id": "test-tenant-id", "client-id": "test-client-id", - }) + }, nil) if err != nil { t.Fatalf("unexpected error creating OIDC credential: %v", err) } 
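Review bot: In the new `httpClient: &http.Client{Timeout: 10 * time.Second, Transport: transport}` literal a nil `transport` makes net/http fall back to http.DefaultTransport, so the OIDC token exchange silently bypasses the safe dialer this commit is meant to route it through, and every caller visible in the tests passes nil, so the restricted path is never exercised. Neither CreateOIDCCredential nor NewOIDCRegistry in the next hunk (oidc_registry.go) states this; at minimum add `// A nil transport uses http.DefaultTransport; production callers must pass the proxy's restricted transport.` to CreateOIDCCredential and mirror it on NewOIDCRegistry, whose comment currently only says the transport "should be" the secure one. Separately, GetOrRefreshOIDCToken now hands `cred.httpClient` to the token functions, so any OIDCCredential not built through CreateOIDCCredential would carry a nil client; presumably the struct is only constructed here, but that is worth confirming. CreateOIDCCredential's body begins before this hunk.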
@@ -106,7 +106,7 @@ func TestFailedAuthenticationIsNotRetried(t *testing.T) { creds, err := CreateOIDCCredential(config.Credential{ "tenant-id": "test-tenant-id", "client-id": "test-client-id", - }) + }, nil) if err != nil { t.Fatalf("unexpected error creating OIDC credential: %v", err) } @@ -367,7 +367,7 @@ func TestTryCreateOIDCCredential(t *testing.T) { os.Unsetenv(envActionsIDTokenRequestToken) }() - actual, _ := CreateOIDCCredential(tc.cred) + actual, _ := CreateOIDCCredential(tc.cred, nil) if tc.expectedParameters == nil { if actual != nil { t.Fatalf("expected no credential, but got %+v", actual) diff --git a/internal/oidc/oidc_registry.go b/internal/oidc/oidc_registry.go index ce8f702..f585761 100644 --- a/internal/oidc/oidc_registry.go +++ b/internal/oidc/oidc_registry.go @@ -18,8 +18,9 @@ import ( // and avoids key collisions when multiple registries share a host with // different paths. type OIDCRegistry struct { - byHost map[string][]oidcEntry - mutex sync.RWMutex + byHost map[string][]oidcEntry + mutex sync.RWMutex + transport http.RoundTripper } type oidcEntry struct { @@ -28,10 +29,12 @@ type oidcEntry struct { credential *OIDCCredential } -// NewOIDCRegistry creates an empty registry. -func NewOIDCRegistry() *OIDCRegistry { +// NewOIDCRegistry creates an empty registry. transport is used for outbound OIDC token requests +// and should be the same secure transport used by the rest of the proxy. +func NewOIDCRegistry(transport http.RoundTripper) *OIDCRegistry { return &OIDCRegistry{ - byHost: make(map[string][]oidcEntry), + byHost: make(map[string][]oidcEntry), + transport: transport, } } @@ -48,7 +51,7 @@ func (r *OIDCRegistry) Register( urlFields []string, registryType string, ) (*OIDCCredential, string, bool) { - oidcCredential, _ := CreateOIDCCredential(cred) + oidcCredential, _ := CreateOIDCCredential(cred, r.transport) if oidcCredential == nil { return nil, "", false } 
diff --git a/internal/oidc/oidc_registry_test.go b/internal/oidc/oidc_registry_test.go index c189868..32352bc 100644 --- a/internal/oidc/oidc_registry_test.go +++ b/internal/oidc/oidc_registry_test.go @@ -56,7 +56,7 @@ func azureCredWithRegistry(tenantID, clientID, registry string) config.Credentia func TestOIDCRegistry_Register_SingleCredential(t *testing.T) { setupOIDCEnv(t) - r := NewOIDCRegistry() + r := NewOIDCRegistry(nil) cred := azureCredWithURL("tenant-1", "client-1", "https://registry.example.com/packages") oidcCred, key, ok := r.Register(cred, []string{"url"}, "test registry") @@ -68,7 +68,7 @@ func TestOIDCRegistry_Register_SingleCredential(t *testing.T) { func TestOIDCRegistry_Register_URLFieldPriority(t *testing.T) { setupOIDCEnv(t) - r := NewOIDCRegistry() + r := NewOIDCRegistry(nil) cred := config.Credential{ "type": "test_registry", @@ -86,7 +86,7 @@ func TestOIDCRegistry_Register_URLFieldPriority(t *testing.T) { func TestOIDCRegistry_Register_FallsBackToHost(t *testing.T) { setupOIDCEnv(t) - r := NewOIDCRegistry() + r := NewOIDCRegistry(nil) cred := config.Credential{ "type": "test_registry", @@ -106,7 +106,7 @@ func TestOIDCRegistry_Register_NotOIDC(t *testing.T) { t.Setenv(envActionsIDTokenRequestURL, "") t.Setenv(envActionsIDTokenRequestToken, "") - r := NewOIDCRegistry() + r := NewOIDCRegistry(nil) cred := config.Credential{ "type": "test_registry", "url": "https://registry.example.com", @@ -121,7 +121,7 @@ func TestOIDCRegistry_Register_NotOIDC(t *testing.T) { func TestOIDCRegistry_Register_NoKeyAvailable(t *testing.T) { setupOIDCEnv(t) - r := NewOIDCRegistry() + r := NewOIDCRegistry(nil) // Credential with OIDC params but no URL or host cred := config.Credential{ 
@@ -143,7 +143,7 @@ func TestOIDCRegistry_TryAuth_SingleCredential(t *testing.T) { defer httpmock.DeactivateAndReset() mockAzureOIDC(t, "tenant-1", "__test_token__") - r := NewOIDCRegistry() + r := NewOIDCRegistry(nil) cred := azureCredWithURL("tenant-1", "client-1", "https://registry.example.com/packages") r.Register(cred, []string{"url"}, "test registry") @@ -162,7 +162,7 @@ func TestOIDCRegistry_TryAuth_SameHostDifferentPaths_NoCollision(t *testing.T) { mockAzureOIDC(t, "tenant-A", "token-feed-A") mockAzureOIDC(t, "tenant-B", "token-feed-B") - r := NewOIDCRegistry() + r := NewOIDCRegistry(nil) // Two registries on the same host with different paths credA := azureCredWithURL("tenant-A", "client-A", @@ -200,7 +200,7 @@ func TestOIDCRegistry_TryAuth_HostOnlyMatchesAnyPath(t *testing.T) { defer httpmock.DeactivateAndReset() mockAzureOIDC(t, "tenant-1", "__test_token__") - r := NewOIDCRegistry() + r := NewOIDCRegistry(nil) // Register with host only (no path) cred := config.Credential{ @@ -221,7 +221,7 @@ func TestOIDCRegistry_TryAuth_HostOnlyMatchesAnyPath(t *testing.T) { func TestOIDCRegistry_TryAuth_NoMatch(t *testing.T) { setupOIDCEnv(t) - r := NewOIDCRegistry() + r := NewOIDCRegistry(nil) cred := azureCredWithURL("tenant-1", "client-1", "https://registry.example.com/packages") r.Register(cred, []string{"url"}, "test registry") @@ -236,7 +236,7 @@ func TestOIDCRegistry_TryAuth_NoMatch(t *testing.T) { func TestOIDCRegistry_TryAuth_WrongPathNoMatch(t *testing.T) { setupOIDCEnv(t) - r := NewOIDCRegistry() + r := NewOIDCRegistry(nil) cred := azureCredWithURL("tenant-1", "client-1", "https://pkgs.dev.azure.com/org/_packaging/feed-A/npm/registry/") @@ -257,7 +257,7 @@ func TestOIDCRegistry_RegisterURL(t *testing.T) { defer httpmock.DeactivateAndReset() mockAzureOIDC(t, "tenant-1", "__test_token__") - r := NewOIDCRegistry() + r := NewOIDCRegistry(nil) // Register primary URL cred := azureCredWithURL("tenant-1", "client-1", "https://nuget.example.com/v3/index.json") 
@@ -278,7 +278,7 @@ func TestOIDCRegistry_RegisterURL(t *testing.T) { func TestOIDCRegistry_TryAuth_PortMismatch(t *testing.T) { setupOIDCEnv(t) - r := NewOIDCRegistry() + r := NewOIDCRegistry(nil) cred := azureCredWithURL("tenant-1", "client-1", "https://registry.example.com:8443/packages") r.Register(cred, []string{"url"}, "test registry") @@ -292,7 +292,7 @@ func TestOIDCRegistry_TryAuth_PortMismatch(t *testing.T) { func TestOIDCRegistry_Register_RegistryField(t *testing.T) { setupOIDCEnv(t) - r := NewOIDCRegistry() + r := NewOIDCRegistry(nil) cred := azureCredWithRegistry("tenant-1", "client-1", "ghcr.io") _, key, ok := r.Register(cred, []string{"registry"}, "docker registry") @@ -308,7 +308,7 @@ func TestOIDCRegistry_TryAuth_PathSpecificBeatsHostOnly(t *testing.T) { mockAzureOIDC(t, "tenant-1", "__host_only_token__") mockAzureOIDC(t, "tenant-2", "__path_specific_token__") - r := NewOIDCRegistry() + r := NewOIDCRegistry(nil) hostOnlyCred := config.Credential{ "type": "test_registry", @@ -336,7 +336,7 @@ func TestOIDCRegistry_TryAuth_LongestPathPrefixWins(t *testing.T) { mockAzureOIDC(t, "tenant-1", "__short_prefix_token__") mockAzureOIDC(t, "tenant-2", "__long_prefix_token__") - r := NewOIDCRegistry() + r := NewOIDCRegistry(nil) shortPrefixCred := azureCredWithURL("tenant-1", "client-1", "https://registry.example.com/packages") longPrefixCred := azureCredWithURL("tenant-2", "client-2", "https://registry.example.com/packages/private") @@ -358,7 +358,7 @@ func TestOIDCRegistry_TryAuth_CaseInsensitiveHost(t *testing.T) { defer httpmock.DeactivateAndReset() mockAzureOIDC(t, "tenant-1", "__test_token__") - r := NewOIDCRegistry() + r := NewOIDCRegistry(nil) cred := azureCredWithURL("tenant-1", "client-1", "https://Registry.Example.COM/packages") r.Register(cred, []string{"url"}, "test registry") 
@@ -396,7 +396,7 @@ func TestOIDCRegistry_TryAuth_Cloudsmith_UsesAPIKey(t *testing.T) {
 	defer httpmock.DeactivateAndReset()
 	mockCloudsmithOIDC(t, "my-org", "__cs_token__")
 
-	r := NewOIDCRegistry()
+	r := NewOIDCRegistry(nil)
 	cred := cloudsmithCred("my-org", "my-service", "https://cloudsmith.io", "https://dl.cloudsmith.io/basic/my-org/my-repo")
 	r.Register(cred, []string{"url"}, "test registry")
 
@@ -431,7 +431,7 @@ func TestOIDCRegistry_TryAuth_GCP_UsesBearer(t *testing.T) {
 	defer httpmock.DeactivateAndReset()
 	mockGCPOIDC(t, "__gcp_token__")
 
-	r := NewOIDCRegistry()
+	r := NewOIDCRegistry(nil)
 	cred := gcpCred("projects/123/locations/global/workloadIdentityPools/pool/providers/prov", "https://us-central1-python.pkg.dev/my-project/my-repo/simple")
 	r.Register(cred, []string{"url"}, "test registry")
 
@@ -450,7 +450,7 @@ func TestOIDCRegistry_TryAuth_GCP_DockerUsesBasicAuth(t *testing.T) {
 	defer httpmock.DeactivateAndReset()
 	mockGCPOIDC(t, "__gcp_token__")
 
-	r := NewOIDCRegistry()
+	r := NewOIDCRegistry(nil)
 	cred := gcpCred("projects/123/locations/global/workloadIdentityPools/pool/providers/prov", "https://us-central1-docker.pkg.dev/my-project/my-repo")
 	r.Register(cred, []string{"url"}, "docker registry")
 
@@ -469,7 +469,7 @@ func TestOIDCRegistry_TryAuth_GCP_DockerUsesBasicAuth(t *testing.T) {
 func TestOIDCRegistry_Register_IndexURLField(t *testing.T) {
 	setupOIDCEnv(t)
 
-	r := NewOIDCRegistry()
+	r := NewOIDCRegistry(nil)
 	cred := azureCred("tenant-1", "client-1")
 	cred["index-url"] = "https://pkgs.dev.azure.com/org/_packaging/feed/pypi/simple"
 
@@ -486,7 +486,7 @@ func TestOIDCRegistry_TryAuth_URLWithoutProtocol(t *testing.T) {
 	defer httpmock.DeactivateAndReset()
 	mockAzureOIDC(t, "tenant-1", "__test_token__")
 
-	r := NewOIDCRegistry()
+	r := NewOIDCRegistry(nil)
 	cred := azureCred("tenant-1", "client-1")
 	cred["url"] = "registry.example.com/packages"
 
@@ -505,7 +505,7 @@ func TestOIDCRegistry_RegisterURL_MultipleOnSameHost(t *testing.T) {
 	defer httpmock.DeactivateAndReset()
 	mockAzureOIDC(t, "tenant-1", "__test_token__")
 
-	r := NewOIDCRegistry()
+	r := NewOIDCRegistry(nil)
 	cred := azureCredWithURL("tenant-1", "client-1", "https://nuget.example.com/v3/index.json")
 	oidcCred, _, ok := r.Register(cred, []string{"url"}, "nuget feed")
 
@@ -527,7 +527,7 @@ func TestOIDCRegistry_RegisterURL_MultipleOnSameHost(t *testing.T) {
 func TestOIDCRegistry_Register_NoDuplicateEntries(t *testing.T) {
 	setupOIDCEnv(t)
 
-	r := NewOIDCRegistry()
+	r := NewOIDCRegistry(nil)
 	cred1 := azureCredWithURL("tenant-1", "client-1", "https://registry.example.com/packages")
 	cred2 := azureCredWithURL("tenant-2", "client-2", "https://registry.example.com/packages")
 
diff --git a/proxy.go b/proxy.go
index 4546034..6b33e39 100644
--- a/proxy.go
+++ b/proxy.go
@@ -88,46 +88,46 @@ func newProxy(envSettings config.ProxyEnvSettings, cfg *config.Config, blockedIp
 	proxy.OnRequest().DoFunc(gitServerHandler.HandleRequest)
 	proxy.OnResponse().DoFunc(gitServerHandler.HandleResponse)
 
-	npmRegistryHandler := handlers.NewNPMRegistryHandler(cfg.Credentials)
+	npmRegistryHandler := handlers.NewNPMRegistryHandler(cfg.Credentials, transport)
 	proxy.OnRequest().DoFunc(npmRegistryHandler.HandleRequest)
 
 	hexOrganizationHandler := handlers.NewHexOrganizationHandler(cfg.Credentials)
 	proxy.OnRequest().DoFunc(hexOrganizationHandler.HandleRequest)
 
-	hexRepositoryHandler := handlers.NewHexRepositoryHandler(cfg.Credentials)
+	hexRepositoryHandler := handlers.NewHexRepositoryHandler(cfg.Credentials, transport)
 	proxy.OnRequest().DoFunc(hexRepositoryHandler.HandleRequest)
 
-	pythonHandler := handlers.NewPythonIndexHandler(cfg.Credentials)
+	pythonHandler := handlers.NewPythonIndexHandler(cfg.Credentials, transport)
 	proxy.OnRequest().DoFunc(pythonHandler.HandleRequest)
 
-	composerHandler := handlers.NewComposerHandler(cfg.Credentials)
+	composerHandler := handlers.NewComposerHandler(cfg.Credentials, transport)
 	proxy.OnRequest().DoFunc(composerHandler.HandleRequest)
 
 	dockerRegistryHandler := handlers.NewDockerRegistryHandler(cfg.Credentials, transport, nil)
 	proxy.OnRequest().DoFunc(dockerRegistryHandler.HandleRequest)
 
-	rubyGemsServerHandler := handlers.NewRubyGemsServerHandler(cfg.Credentials)
+	rubyGemsServerHandler := handlers.NewRubyGemsServerHandler(cfg.Credentials, transport)
 	proxy.OnRequest().DoFunc(rubyGemsServerHandler.HandleRequest)
 
 	nugetFeedHandler := handlers.NewNugetFeedHandler(cfg.Credentials, transport)
 	proxy.OnRequest().DoFunc(nugetFeedHandler.HandleRequest)
 
-	mavenRepositoryHandler := handlers.NewMavenRepositoryHandler(cfg.Credentials)
+	mavenRepositoryHandler := handlers.NewMavenRepositoryHandler(cfg.Credentials, transport)
 	proxy.OnRequest().DoFunc(mavenRepositoryHandler.HandleRequest)
 
-	terraformRegistryHandler := handlers.NewTerraformRegistryHandler(cfg.Credentials)
+	terraformRegistryHandler := handlers.NewTerraformRegistryHandler(cfg.Credentials, transport)
 	proxy.OnRequest().DoFunc(terraformRegistryHandler.HandleRequest)
 
-	pubRepositoryHandler := handlers.NewPubRepositoryHandler(cfg.Credentials)
+	pubRepositoryHandler := handlers.NewPubRepositoryHandler(cfg.Credentials, transport)
 	proxy.OnRequest().DoFunc(pubRepositoryHandler.HandleRequest)
 
-	cargoRegistryHandler := handlers.NewCargoRegistryHandler(cfg.Credentials)
+	cargoRegistryHandler := handlers.NewCargoRegistryHandler(cfg.Credentials, transport)
 	proxy.OnRequest().DoFunc(cargoRegistryHandler.HandleRequest)
 
-	goProxyServerHandler := handlers.NewGoProxyServerHandler(cfg.Credentials)
+	goProxyServerHandler := handlers.NewGoProxyServerHandler(cfg.Credentials, transport)
 	proxy.OnRequest().DoFunc(goProxyServerHandler.HandleRequest)
 
-	helmRegistryHandler := handlers.NewHelmRegistryHandler(cfg.Credentials)
+	helmRegistryHandler := handlers.NewHelmRegistryHandler(cfg.Credentials, transport)
 	proxy.OnRequest().DoFunc(helmRegistryHandler.HandleRequest)
 
 	proxy.OnResponse().DoFunc(cacher.OnResponse)
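Review bot: `hexOrganizationHandler` is the one credentialed handler in this hunk still constructed without the transport (`hexOrganizationHandler := handlers.NewHexOrganizationHandler(cfg.Credentials)`), so if it performs any outbound request of its own (an authentication probe like its siblings appear to do) that traffic would bypass the blocked-IP dialer the rest of the hunk wires in; it should either become `handlers.NewHexOrganizationHandler(cfg.Credentials, transport)` or carry a comment stating that it makes no outbound HTTP calls. I cannot see that handler's implementation from here, so treat this as a question to confirm rather than a confirmed gap. Separately, if these constructors place the value in `http.Client.Transport`, a nil `transport` silently falls back to `http.DefaultTransport` and loses the protection entirely, so a nil guard at the top of `newProxy` (or a test asserting it is non-nil) would make that failure loud. `newProxy` starts before and continues after the hunk.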